As USM Anywhere surfaces events, alarms, and vulnerabilities, you can use Palo Alto Networks Panorama actions to respond to the events in your environment. Rather than manually adding addresses in the Panorama user interface (UI) and entering the relevant information, you can use the AlienApp for Palo Alto Networks Panorama response actions to automatically manage your Palo Alto Networks address groups using information from your USM Anywhere environment. The table below shows the actions.
Add Address to Address Group
Run this action to add the source, destination, or custom address to a group in your Panorama environment. If the group doesn't exist in Panorama, it will be created by the action from USM Anywhere.
|Remove Address from Address Group||Run this action to remove the source, destination, or custom address to a group in your Panorama environment.|
|Add Tag to Address||Add a Panorama tag to an address. You can select either an existing tag from Panorama, or create a new one.|
|Add Tag to Address Group||Add a Panorama tag to an address group. You can select either an existing tag from Panorama, or create a new one.|
|Add Address to URL Category||
Add a source or destination address to a Palo Alto Networks Panorama URL category to allow, alert, or block the URL based on the selected existing profile.
You can include optional pre-rule or post-rule policies that are based on your Panorama policy profiles. If you select an Associated Profile in the action, the user will receive an alert if the policy is violated.
|Add IP to External Block List||Add an IP address to the Palo Alto Networks Panorama external block list.|
|Add Domain to External Block List||Add a domain to the Palo Alto Networks Panorama external block list.|
|Add URL to External Block List||Add a URL to the Palo Alto Networks Panorama external block list.|
To view information about these actions in USM Anywhere
- In USM Anywhere, go to Data Sources > AlienApps.
- Click the Available Apps tab.
- Search for the AlienApp, and then click the tile.
- Click the Actions tab to display information for the supported actions.
- Click the History tab to display information about the executed orchestration actions.
Launch Actions from USM Anywhere
When you review the information in the Alarm Details, Event Details, or Vulnerability Details, you can easily launch an action to send a request to your connected Panorama instance to add source or destination IP address information to an existing Panorama group. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from an action applied to an alarm, event, or vulnerability.
To launch a Panorama response action for an alarm, event, or vulnerability
- Go to Activity > Alarms, Activity > Events, or Environment > Vulnerabilities.
- Click the alarm, event, or vulnerability to open the details.
- Click Select Action.
In the Select Action dialog box, select Run Panorama Action.
Select the app action and fill out the fields that are populated in the window.
After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box.
If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.
The external block lists for IP addresses, domains, and URLs, are all contained in the AlienApp for Palo Alto Networks Panorama page (Data Sources > AlienApps > Palo Alto Panorama). For each tab, you can see the list of all the items on the block list, and you can remove individual items by clicking the icon next to the item. Each tab also contains these buttons above the list:
- Add: Opens a dialog box to add an IP address, domain, or URL to the list.
Import: Opens a dialog box to import a text file to import a list of IP addresses, domains, or URLs to the list. This enables you to take your copied block list from another sensor and apply it to the current sensor.
- Export: Exports the entire IP address, domain, or URL list as a downloadable .txt file. This enables you to copy your block list to another sensor.
- Clear: Clears the entire IP address, domain, or URL list.